1. Technical Field
The present disclosure relates to a countermeasure method for protecting sensitive data, circulating in an electronic component, against attacks aiming at discovering such data. It also relates to a portable device with a microcircuit, such as a smart card, implementing the method.
2. Description of the Related Art
Sensitive data can in particular be ciphering or deciphering keys, and more generally cryptographic data used or generated during cryptographic calculations, such as intermediate data of such calculations, and identifiers that must be kept secret.
Microcircuit devices handling sensitive data are sometimes the object of attacks aiming at determining such data. Amongst known attacks, SPA- (Simple Power Analysis) or DPA-type (Differential Power Analysis) attacks involve performing a statistical analysis of numerous measurements of currents and voltages entering and leaving the microcircuit upon the execution of a program by the microcircuit with various input data. The measurements obtained are used to deduce protected data that is processed or used by the microcircuit. With the same aim, EMA-type (Electromagnetic Analysis) attacks are based on the analysis of the electromagnetic radiation emitted by the microcircuit.
Attacks by error injection are also known which involve introducing disturbance into the microcircuit when it is executing sensitive algorithms such as cryptographic algorithms, or in order to trigger the execution of a downloading routine issuing stored data on a port. Such disturbance can be produced by applying to the microcircuit one or more brief lights or one or more voltage peaks on one of its contacts.
In order to fight these attacks that differ by nature, many quite different solutions have been found. The present disclosure relates more particularly to the solutions aiming to protect data when it is circulating in a microcircuit.
For this purpose, one well-known method involves ciphering each sensitive datum at the output of a memory or of a register or prior to sending it on a data bus, and deciphering the datum at the input of a register or of a memory or when it is received by a recipient entity of the datum. In reality, this solution only partially protects the data sent. Between the output of the deciphering circuit and the input of the register or of the memory, the datum circulates in circuits such as logic gates and multiplexers which produce a signature that is visible by an EMA- or SPA-type attack. The actual operation of writing in the memory or the register can also issue a signature.
It is also known to preload a register that is to receive a sensitive datum with a datum generated randomly to change the state of certain storing cells, and thus change the signature issued during the writing of a datum to be protected in the register. Patent application EP1475919 (US 2004/0162991) describes an anti-fraud method of injecting random data into output or intermediate registers, before they receive any sensitive data. This solution has the disadvantage of needing additional registers and multiplexers for each register to be protected. In addition, this solution protects registers, but not the logic circuits introducing the sensitive data into the protected registers. An attack by signature analysis can therefore make it possible to detect switches of logic gates of the logic circuits, and thus to determine sensitive data processed by these circuits.
Application WO 02/063821 describes a method for protecting a cryptographic calculation consisting of adding to the cryptographic calculation steps of masking input data and unmasking steps to restore the output data. This solution does not protect the logic circuits from attacks by signature analysis either.
It is therefore desirable to protect logic circuits and registers against attacks by signature analysis, without substantially increasing the complexity of the circuits.